diff --git a/rules/azure/defense_evasion_azure_service_principal_addition.toml b/rules/azure/defense_evasion_azure_service_principal_addition.toml
new file mode 100644
index 000000000..ce6fce76f
--- /dev/null
+++ b/rules/azure/defense_evasion_azure_service_principal_addition.toml
@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2020/12/14"
+maturity = "production"
+updated_date = "2020/12/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when a new service principal is added in Azure. An application, hosted service, or automated tool that
+accesses or modifies resources needs an identity created. This identity is known as a service principal. For security
+reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with
+a user identity.
+"""
+false_positives = [
+    """
+    A service principal may be created by a system or network administrator. Verify whether the username, hostname,
+    and/or resource name should be making changes in your environment. Service principal additions from unfamiliar users
+    or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    """,
+]
+from = "now-25m"
+index = ["filebeat-*", "logs-azure.*"]
+language = "kuery"
+license = "Elastic License"
+name = "Azure Service Principal Addition"
+note = "The Azure Fleet Integration or Filebeat module must be enabled to use this rule."
+references = [
+    "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
+    "https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal",
+]
+risk_score = 47
+rule_id = "60b6b72f-0fbc-47e7-9895-9ba7627a8b50"
+severity = "medium"
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
+type = "query"
+
+query = '''
+event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal" and event.outcome:(success or Success)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+